Road to Mac OS X Snow Leopard: 64-bit security

In addition to expanded sandboxing, the move to 64-bit computing will provide a series of other benefits related to security. Apple's 64-bit binaries set all writable memory as non-executable by default, including thread stacks, the heap, and any other writable data segments.

This is already present to an extent in today's Leopard Server, which runs some services, such as the Apache web server, as 64-bit processes. Using the vmmap command reveals that no memory allocated by these 64-bit apps is both writable and executable. On 32-bit Intel systems, while no memory is marked as both writable and executable, the legacy x86 processor design does not enforce the permissions bits, but 64-bit CPUs do. This feature prevents exploits from injecting malicious executable code into memory and tricking the app to run it as it if were its own instructions.

Another security weakness in the x86 architecture solved in the move to 64-bits is the use of registers for function call arguments. This makes exploits using return-into-libc techniques much more difficult. On 32-bit x86, function arguments are passed directly on the stack, so when an attacker has overwritten the stack segment, they can completely control the arguments passed to a function that they cause the compromised program to "return into," according to a security researcher.

The move to 64-bits also greatly enhances the Address Space Layout Randomization (ASLR) techniques used to secure Leopard. Currently, 32-bit binaries are restricted to a relatively small 4GB allocation, making it easier to predict useful addresses for malicious code to target. Additionally, Leopard keeps dyld, Mac OS X's dynamic loader (responsible for loading all of the frameworks, dylibs, and bundles needed by a process) in the same known location, making it relatively trivial to bypass the existing ASLR.

With the much larger address space available to 64-bit binaries, Snow Leopard's ASLR will make it possible to hide the location of loaded code like a needle in a haystack, thwarting the efforts of malicious attackers to maintain predictable targets for controlling the code and data loaded into memory. Without knowing what addresses to target, the "vast majority of these exploits will fail," the security expert explained.

Security before it's needed

Apple's sheltered existence in isolation from regular malware attacks puts it in the enviable position of being able to focus on building security features proactively, rather than in response to ongoing, embarrassing exploits. For Mac users, that means the window of opportunity for malware exploits is being closed off before circumstances change enough for the platform to become a viable target.

The company is being relatively quiet about its security efforts because it doesn't want to be directly compared against Microsoft, which is ahead in some security areas, at least in its latest software releases. However, Microsoft's installed base of the billion PCs running Windows worldwide is not protected by advancements in the latest releases because relatively few users have upgraded to the latest releases.

That give Apple a strong position in maintaining its security halo because the Windows PC world is so rife with low hanging fruit for malicious attackers that the Mac platform remains an undesirable target. That leaves disgruntled pundits with nothing to complain about outside of misleading vulnerability counts. So while PC users contend with the constant din of security issues and performance sapping layers of security software, Mac users are free to just enjoy the silence.

Road to Mac OS X Snow Leopard: 64-bit security is the fifth installment in AppleInsider's ongoing Road to Mac OS Snow Leopard series. Previous installments are listed below in the order they were published.

In addition to the benefits detailed in previous articles in this series, the move to 64-bits in Mac OS X 10.6 Snow Leopard will enhance Apple's efforts to secure its operating system....

Fantastic article, and so nice to get away from talking about Steve Jobs health and all the negative crap and be positive for a change. This is the kind of article this site used to be known for and should promote.

Thanks for an interesting article but I'm not sure I agree with the old argument that it's smaller market share that means the Mac hasn't been worth targetting by malware writers. You need to think about who is finding the exploits and writing the viruses... mainly intelligent but poor young programmers in places like eastern Europe or in the developing world. In the absence of good local job prospects it makes perfect rational sense for them to turn their efforts to computer crime instead. People like that are far more likely to only have an old 386 machine available to them rather than a shiny new Mac, so that's what they work on. Give these people a bunch of Macs and time to learn them and they'll be just as happy targetting OS X though. As more people program for the Mac the risks to OS X will undoubtedly increase.

Fantastic article, and so nice to get away from talking about Steve Jobs health and all the negative crap and be positive for a change. This is the kind of article this site used to be known for and should promote.

Agreed! It doesn't make specious claims about how vastly wonderful MacOS X is compared to everything else... it just presents the information in a well-written piece. Nice work.

Thanks for an interesting article but I'm not sure I agree with the old argument that it's smaller market share that means the Mac hasn't been worth targetting by malware writers. You need to think about who is finding the exploits and writing the viruses... mainly intelligent but poor young programmers in places like eastern Europe or in the developing world. In the absence of good local job prospects it makes perfect rational sense for them to turn their efforts to computer crime instead. People like that are far more likely to only have an old 386 machine available to them rather than a shiny new Mac, so that's what they work on. Give these people a bunch of Macs and time to learn them and they'll be just as happy targetting OS X though. As more people program for the Mac the risks to OS X will undoubtedly increase.

Also, it's worth looking at the weakest link in the security chain... the person sitting at the keyboard. MacOS X's insistence on no "root" account and requiring a password for significant operations has made it so, as far as I'm aware, every piece of malware for the Mac has so far required the user to explicitly download it and type their password to get infected. Ignoring the purely software-based attack, that has probably helped save many MacOS X systems from harm.

Thanks for an interesting article but I'm not sure I agree with the old argument that it's smaller market share that means the Mac hasn't been worth targetting by malware writers. You need to think about who is finding the exploits and writing the viruses... mainly intelligent but poor young programmers in places like eastern Europe or in the developing world. In the absence of good local job prospects it makes perfect rational sense for them to turn their efforts to computer crime instead. People like that are far more likely to only have an old 386 machine available to them rather than a shiny new Mac, so that's what they work on. Give these people a bunch of Macs and time to learn them and they'll be just as happy targetting OS X though. As more people program for the Mac the risks to OS X will undoubtedly increase.

rhowarth, you have no sense of how we live in so called ,,poor eastern European countries". I can guarantee that most of the programmers here have at least as good live standard than most people in western Europe . Average income of qualified programmer here (Slovak Republic) is about 3000 Euros. Most of the serious programmers take much, much more. Given to lower prices of commodities live standard is quite good.

Trust me, economy boom here still persists (even in the current hard economic times). People are building new houses (no, not from straw) and have quite good cars (mostly VW, Skoda - newer ones, Peugeots, BMWs). We have now almost as good live standard as people in Italy, Spain or Austria.

Of course, there are also quite a lot people without higher education, working as common worker, mainly in car industry (Audi Q7s and Porsche Cayenne are made in Slovakia, also Kia, Peugeots). But these people also don't leave in shacks.

People in Ukraine and Bulgary or Romania are living in much worse conditions, but also, not in shacks. They just can't afford the goods.

Oh, I'm quite young IT consultant from Slovakia, currently writing from my MacBook Pro 17" with 20" Cinema display, using Time Capsule and iPhone. Driving VW Passat Combi. Sounds poor to you? Trust me, capable and intelligent young people don't have much problems with money here. Oh, we have just changed our currency to Euro.

rhowarth, you have no sense of how we live in so called poor eastern European countries. I can guarantee that most of the programmers here have at least as good live standard than most people in western Europe . Average income of qualified programmer here (Slovak Republic) is about 3000 Euros. Most of the serious programmers take much, much more. Given to lower prices of commodities live standard is quite good.

Trust me, economy boom here still persists (even in the current hard economic times). People are building new houses (no, not from straw) and have quite good cars (mostly VW, Skoda newer ones, Peugeots, BMWs). We have now almost as good live standard as people in Italy, Spain or Austria.

Of course, there are also quite a lot people without higher education, working as common worker, mainly in car industry (Audi Q7s and Porsche Cayenne are made in Slovakia, also Kia, Peugeots). But these people also don't leave in shacks.

People in Ukraine and Bulgary or Romania are living in much worse conditions, but also, not in shacks. They just can't afford the goods.

Oh, I'm quite young IT consultant from Slovakia, currently writing from my MacBook Pro 17" with 20" Cinema display, using Time Capsule and iPhone. Driving VW Passat Combi. Sounds poor to you? Trust me, capable and intelligent young people don't have much problems with money here. Oh, we have just changed our currency to Euro.

So, now when you're done massaging your ego (which was pretty pathetic, sorry), maybe it's time to tell you that Slovakia is part of Central Europe, at least when economic, historical, religious, and cultural reasons are taken into account.

So, now when you're done massaging your ego (which was pretty pathetic, sorry), maybe it's time to tell you that Slovakia is part of Central Europe, at least when economic, historical, religious, and cultural reasons are taken into account.

Well, there's no need to be so rude!! I'd say you are the pathetic one with such an uncalled for outburst. What! Someone burst your bubble today?

Personally I found it interesting to hear how things are in Slovakia these days.

@Zhujo - Unfortunately in these open forums you do get some ignorant people posting. Good to hear you are enjoying life, which obviously this other poster is not!

[QUOTE=ZhuJo;1364163People in Ukraine and Bulgary or Romania are living in much worse conditions, but also, not in shacks. They just can't afford the goods.[/QUOTE]

You're right of course, and I'm certainly not suggesting people in Eastern Europe live in shacks. If anything, that's what we'll be doing in the UK before too long if the credit crunch lasts!

In general though I still think the kind of people who write viruses are more likely to have PCs simply because that's what available to them and what they're already familiar with, rather than because they've sat down, analysed the problem, and concluded that targetting PCs is more cost effective so that's what machine they'll buy.